autossl not renewing certs following change to let's encrypt

accafella

Active Member
Joined Jan 1, 2018
Cambridge, UK
cPanel Access Level: Root Administrator
Hello, I finally bit the bullet and decided to go with Let's Encrypt to secure my mail, but found it not as easy as I expected. I followed the steps in the documentation, but the server is sending this alert:

The “LetsEncrypt” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems:
DNS DCV: The DNS query to “_cpanel-dcv-test-record.domain.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=etc...”

I added a corresponding TXT record and waited the recommended 15 minutes, but the warning messages persist.
My DNS is hosted remotely.

Additionally:
"The system queried for a temporary file at, domain.com but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist."
I checked, and the .well-known/acme-challenge/ directory is empty.

I'm fairly new to this and would dearly appreciate some pointers or help.

Thanks.
 

cPanelLauren

Product Owner, Staff member
Joined Nov 14, 2017
Houston
Hello,

The issue occurring here appears to be a DNS related issue. When you check the domain's IP using a site like whatsmydns.com does the IP address match the one assigned to the server you're running the DNS check from?
 

accafella
Hi, and thanks for the reply.
Yes, the IP address is the same - it is shared on a VPS.

Curiously though, when I did a search for an MX record at mail.domain.com there were none. Is that normal? That record definitely exists.

One question I wanted to ask, maybe on another thread, is why the cPanel Zone Editor only allows me to create A, CNAME and MX records. The documentation suggests that all are available, and I thought creating the missing TXT record here might solve the problem, but the option is not available.
Thanks again.
 

cPanelLauren
When I do a dig for any records, while you do have an A record for the MX host present, you do not have an MX record for the domain. This would need to be added where DNS for the domain is hosted.
 

accafella
Thanks. I have inherited this server from a far more experienced colleague, but I admit some of the settings didn't make sense - such as the empty name field for the MX record. This is now fixed and the MX record is dig-able.

What I don't understand is that we have never had any issues with email not working. It's just the certificate, which has only become a problem since trying to get Let's Encrypt to work.

I have put my Zone Editor question in another post in General Discussion, as it will be more useful there.
 

cPanelLauren
Without an MX record, email senders will attempt delivery to the address record - i.e., the A record of the domain in this instance. This is discussed in RFC 5321 (Simple Mail Transfer Protocol):

    If an empty list of MXs is returned,
    the address is treated as if it was associated with an implicit MX
    RR, with a preference of 0, pointing to that host.
That's not ideal, but it does explain why your mail functions.
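The RFC 5321 rule quoted in the post above, as an added example that is not part of the original thread and is not cPanel or Exim code: a small resolver that returns the hosts a sending MTA would try for a domain, run over a constructed zone snapshot (`example.org` and friends, all made up) that mirrors the thread's situation of an A record with no MX. It also covers the two neighbouring cases the quote does not mention, the RFC 7505 null MX and a name with neither MX nor address, so the "not ideal" part is visible: with only an implicit MX there is exactly one target and it is whatever the website's A record points at.

```python
"""Added example (not cPanel or Exim code): the mail-routing rule from
RFC 5321 section 5.1, run over a constructed zone snapshot that mirrors
the thread: an A record for the domain but no MX record."""
from typing import Dict, List, Tuple

# Constructed data: (owner name, rrtype) -> list of RDATA. MX RDATA is
# (preference, exchange); address RDATA is a plain string. A real tool
# would query a resolver; a dict keeps this runnable offline.
Zone = Dict[Tuple[str, str], list]

EXAMPLE_ZONE: Zone = {
    # The thread's situation: address record only, MX missing.
    ("example.org", "A"): ["192.0.2.10"],
    # After the fix: explicit MX records, listed out of preference order on purpose.
    ("fixed.example.org", "A"): ["192.0.2.10"],
    ("fixed.example.org", "MX"): [(20, "backup.example.org"), (10, "mail.example.org")],
    ("mail.example.org", "A"): ["192.0.2.10"],
    ("backup.example.org", "A"): ["192.0.2.11"],
    # RFC 7505 null MX: the domain explicitly refuses mail even though it has an A record.
    ("nomail.example.org", "MX"): [(0, ".")],
    ("nomail.example.org", "A"): ["192.0.2.12"],
    # Neither MX nor address record: nothing to connect to.
    ("ghost.example.org", "TXT"): ["v=spf1 -all"],
}


def mail_exchangers(domain: str, zone: Zone) -> List[Tuple[int, str]]:
    """Return the (preference, host) list a sending MTA tries, lowest
    preference first, following RFC 5321 section 5.1:
      - MX records present: use them, sorted by preference.
      - a single MX of preference 0 pointing at "." (RFC 7505 null MX):
        the domain accepts no mail at all.
      - no MX records: the implicit MX, preference 0, pointing at the
        domain itself, provided the domain has an address record.
      - neither: delivery is impossible.
    """
    name = domain.rstrip(".").lower()
    mx = zone.get((name, "MX"), [])
    if mx:
        if len(mx) == 1 and mx[0] == (0, "."):
            raise ValueError(f"{name}: null MX, the domain does not accept mail")
        return sorted(mx, key=lambda rr: rr[0])
    if zone.get((name, "A")) or zone.get((name, "AAAA")):
        return [(0, name)]  # the implicit MX from the RFC quote
    raise LookupError(f"{name}: no MX and no address record, undeliverable")


def delivery_addresses(domain: str, zone: Zone) -> List[str]:
    """Expand the exchanger list into the IPs actually connected to, in order."""
    addrs: List[str] = []
    for _pref, host in mail_exchangers(domain, zone):
        host = host.rstrip(".").lower()
        addrs.extend(zone.get((host, "A"), []) + zone.get((host, "AAAA"), []))
    return addrs


if __name__ == "__main__":
    for d in ("example.org", "fixed.example.org", "nomail.example.org", "ghost.example.org"):
        try:
            print(d, "->", mail_exchangers(d, EXAMPLE_ZONE), delivery_addresses(d, EXAMPLE_ZONE))
        except (ValueError, LookupError) as err:
            print(d, "->", err)
```

Running it shows `example.org` routed to `[(0, "example.org")]`, i.e. straight to the web server's address, while `fixed.example.org` gets the ordered `mail`/`backup` pair. The practical consequence of the implicit MX is that moving the website to another IP silently moves inbound mail with it, and there is no secondary exchanger to fall back to; an explicit MX record separates the two.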
 

accafella
Hi Lauren, please excuse my slowness; there's something I don't understand and I hope you will explain.

HTTP DCV: “www.mail.domain.tld” does not resolve to any IP addresses on the internet.
So I added an MX record for www.mail.domain.tld with Memset, and now the dig results are correct, but I re-ran AutoSSL and the same error appears.
So I added an MX record for www.mail.domain.tld in cPanel, re-ran AutoSSL, and still the same error.
Firstly, how do the cPanel and Memset zone records relate to each other?
And do I actually need www.mail.domain.tld?

Additionally:
DNS DCV: The DNS query to “_cpanel-dcv-test-record.domain.tld” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=hashfile”.
There actually is such a TXT record, I promise.
 

cPanelLauren
Hello,

This issue, specifically for www.mail.domain.tld, is a bit different from the initial issue, which was for mail.domain.tld (without the www). The www form is usually accommodated by a CNAME record pointing to mail.domain.tld, but it is not necessary to have.

The bigger portion of the issue is that the DNS DCV check can't complete. I believe that the DCV record is there; unfortunately the query used to obtain it is not allowed access. Here is what I get when I attempt to run a curl request just to your domain (which I've removed from any output in this thread):

Code:
[[email protected] .cpanel]# curl -kvv domain.tld
* About to connect() to domain.tld port 80 (#0)
*   Trying <IP ADDRESS>...
* Connected to domain.tld (<IP ADDRESS>) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: domain.tld
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Tue, 10 Dec 2019 23:06:30 GMT
< Server: Apache
< Content-Length: 318
< Content-Type: text/html; charset=iso-8859-1
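The two DCV probes that fail in this thread (the DNS TXT check from the first post and the HTTP file check that the 403 above gets in the way of), as an added example that is not part of the original thread and not cPanel's own code. The `_cpanel-dcv-test-record` label is taken from the alert text; the challenge file path, the plain body comparison and the message wording are simplifying assumptions, not AutoSSL's exact logic. The resolver and fetcher are injectable so the checks run offline against constructed answers, and the `dig`/`urllib` versions are what you would pass in on a real server.

```python
"""Added example (not cPanel code): reproduce AutoSSL's two DCV probes so
the failures in this thread can be checked by hand. The TXT label comes
from the alert text; the HTTP path and body comparison are assumptions."""
import re
import subprocess
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

DCV_LABEL = "_cpanel-dcv-test-record"          # label seen in the alert text
Resolver = Callable[[str], List[str]]          # name -> TXT record strings
Fetcher = Callable[[str], Tuple[int, str]]     # url  -> (status, body)


def parse_dig_txt(output: str) -> List[str]:
    """Parse `dig +short TXT` output. dig prints one record per line as one
    or more quoted chunks; the chunks of a line are joined into one record."""
    records = []
    for line in output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            records.append("".join(c.replace('\\"', '"') for c in chunks))
    return records


def dig_txt(name: str, server: str = "") -> List[str]:
    """Live resolver (assumes `dig` is on PATH). Pass server= the name or IP
    of the authoritative server to bypass every resolver cache."""
    cmd = ["dig", "+short", "TXT", name] + ([f"@{server}"] if server else [])
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_dig_txt(proc.stdout)


def http_get(url: str) -> Tuple[int, str]:
    """Live fetch that returns (status, body) instead of raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "dcv-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_dns_dcv(domain: str, expected: str, resolve: Resolver = dig_txt) -> Tuple[bool, str]:
    """DNS DCV: a TXT record at _cpanel-dcv-test-record.<domain> must equal
    the published value exactly (no surrounding quotes, no extra whitespace)."""
    name = f"{DCV_LABEL}.{domain}"
    records = resolve(name)
    if expected in records:
        return True, f"{name}: matching TXT record found"
    if not records:
        return False, (f"{name}: no TXT records at all; the record is missing, "
                       "was added to a zone nobody queries, or has not propagated")
    return False, f"{name}: TXT records present but none matches exactly: {records}"


def check_http_dcv(domain: str, path: str, expected: str, fetch: Fetcher = http_get) -> Tuple[bool, str]:
    """HTTP DCV: GET the challenge file over plain HTTP and compare the body."""
    url = f"http://{domain}/{path.lstrip('/')}"
    status, body = fetch(url)
    if status == 403:
        return False, (f"{url}: 403 Forbidden; the web server refuses the probe "
                       "(deny rules in .htaccess, ModSecurity, a security plugin), "
                       "so the file content cannot matter until that is lifted")
    if status != 200:
        return False, f"{url}: HTTP {status}; file absent, or the vhost answering is not this server"
    if body.strip() != expected:
        return False, f"{url}: HTTP 200 but the body differs from the expected token"
    return True, f"{url}: challenge file served correctly"


if __name__ == "__main__":
    # Constructed answers that mirror the thread: no TXT visible, HTTP 403.
    print(check_dns_dcv("domain.tld", f"{DCV_LABEL}=hashfile", resolve=lambda n: []))
    print(check_http_dcv("domain.tld", "/.well-known/acme-challenge/token", "token",
                         fetch=lambda u: (403, "")))
```

On a live server swap the lambdas for the defaults (`check_dns_dcv("domain.tld", value)` and `check_http_dcv("domain.tld", path, token)`), and run the DNS check twice: once through the server's own resolver and once with `server=` pointing at the provider's authoritative nameserver. If the authoritative answer has the record and the local answer does not, the record is fine and you are waiting on caches or querying the wrong zone; if the HTTP probe returns 403 for `/`, fix that before looking at the challenge file at all.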
 

accafella
The curl issue may be a WordPress security thing. I'll look into that; it would be good to check the DNS handshake. I'm wondering if that's a parameter in .htaccess?
But thanks enormously for all your help and patience. I've ended up fixing the issue with closer inspection of the AutoSSL manager in WHM, and checked "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates".
Embarrassingly simple really after all that - I actually do need new glasses - but thanks once again for your help.
 